REPORT ON
INDEPENDENT EVALUATION AND ASSESSMENT OF
INTERNAL CONTROL FOR CONTRACT OVERSIGHT

SUBMITTED TO THE
U.S. SECURITIES AND EXCHANGE COMMISSION
OFFICE OF INSPECTOR GENERAL

Cotton & Company LLP
Auditors · Advisors
333 North Fairfax Street, Suite 401
Alexandria, Virginia 22314
(703)836-6701
www.cottoncpa.com

June 25, 2004

Mr. Walter Stachnik
Inspector General
U.S. Securities and Exchange Commission
450 Fifth Street, NW
Washington, DC 20549

Subject: Independent Evaluation and Assessment of Internal Control for Contract Oversight
         Task Order No. SECJQ1-03-D-0175 (September 24, 2003)

Dear Mr. Stachnik:

In accordance with terms of the subject task order, Cotton & Company LLP performed an independent
evaluation of the U.S. Securities and Exchange Commission’s internal control over contract management
oversight of its customer service agreements with the Millennium Services Center (MSC) at the U.S.
Department of Transportation (DOT) for services provided by Science Applications International
Corporation (SAIC). The evaluation included review of management procedures and practices established
to implement federal procurement, acquisition, and contract laws and regulations and the Commission’s
own procurement regulations and policies.

This evaluation focused on 1) the Commission’s management controls used to obtain information
technology (IT) support services through customer service agreements with MSC from November 2001
through April 2003 under Commission Contract No. SECHQ1-00-H-0239, and 2) a review and
assessment of all task orders issued from February 2000 through December 2003 and MSC invoices
submitted through the U.S.
Treasury’s Interagency Payment and Collection (IPAC) system.

We identified specific control weaknesses and deficiencies and developed recommendations designed to
improve contract management oversight functions and procedures. We conducted the evaluation in
accordance with Government Auditing Standards, as revised. We were not engaged to, and did not
perform a financial statement audit, the purpose of which would be to express an opinion on specified
elements, accounts, or items. This report is intended to meet the objectives described above and should
not be used for other purposes.

Please call me at (703) 836-6701 if you have questions.

Very truly yours,

COTTON & COMPANY LLP

Michael W. Gillespie, CPA, CFE
Partner

CONTENTS

Executive Summary
Scope, Objectives, and Methodology
   Scope and Objectives
   Methodology
Background
Evaluation Results
   1. Task Orders
   2. Management Fees
   3. Invoice Certification

EXECUTIVE SUMMARY

The Office of Inspector General (OIG), U.S.
Securities and Exchange Commission, contracted
with Cotton & Company LLP to perform an independent evaluation of internal control over
contract management oversight of the Commission’s customer service agreements (task orders)
with the Millennium Services Center (MSC) located at the U.S. Department of Transportation
(DOT) for services provided by Science Applications International Corporation (SAIC). The
evaluation included a review of management procedures and practices established to implement
federal procurement, acquisition, and contract laws and regulations and the Commission’s own
procurement regulations and policies.

We conducted this evaluation from September 2003 to March 2004 in accordance with
Government Auditing Standards, as promulgated by the Comptroller General in the "yellow
book" for performance audits, and AICPA standards for consulting services. We also adhered to
all relevant federal and Commission guidelines.

For the time period covered by our review, the Commission did not establish adequate controls
for obtaining information technology (IT) support services using a customer service agreement
with MSC. Commission officials indicated that the controls were improved during the course of
the contract, including improvements made subsequent to our review period.

The Commission elected the option to have MSC maintain direct contract authority,
administrative responsibilities, and contract management control over SAIC’s performance.
However, this arrangement did not meet the oversight needs of the Office of Information
Technology (OIT), the office using SAIC’s (and its subcontractors’) services.

We noted specific control weaknesses over contract management oversight functions and
procedures with respect to the MSC customer service agreements, including:

1. Commission task orders were not sufficiently detailed to fully describe the Commission’s
expectations and the oversight responsibilities of the MSC and the Commission.

2. MSC applied a management fee on SAIC invoices before sending them to the Commission.
The Commission’s Contracting Officer’s Technical Representative (COTR) stated that the COTR
was unaware of the amount or basis for the fees.

3. The Commission’s COTR certified invoices without sufficient supporting documentation. The
Commission may have been billed labor costs for employees who did not work on Commission
tasks. This weakness relates to the decision to have MSC be responsible for contract
administration. OIT technical staff did not clearly understand the limitations on their
administrative duties under the contract.

We are recommending enhancing the Commission’s existing policies and procedures and COTR
training to improve the controls over task orders under customer service agreements with other
federal agencies.

SCOPE, OBJECTIVES, AND METHODOLOGY

Scope and Objectives

The Commission’s OIG contracted with Cotton & Company LLP to perform an independent
evaluation of its internal control over contract management oversight of the customer service
agreements with MSC. The evaluation included review of management procedures and practices
established to implement federal procurement, acquisition, and contract laws and regulations and
the Commission’s own procurement regulations and policies.

This evaluation focused on 1) the Commission’s management controls used to obtain IT support
services through customer service agreements with MSC from November 2001 through April
2003 under Commission Contract No.
SECHQ1-00-H-0239, and 2) a review and assessment of
all task orders issued from February 2000 through December 2003 and MSC invoices submitted
through the U.S. Treasury’s Interagency Payment and Collection (IPAC) system.

The evaluation covered key phases of contract oversight processes for initiating and issuing task
orders; modifying task orders; obligating and controlling funds; monitoring contractor activities;
and assessing contractor performance. The evaluation also included review of controls established
to protect the Commission from waste, fraud, and abuse by ensuring that only authorized work is
performed, work performed is within the scope of the contract, and task-order deliverables are
met. The evaluation also covered the Commission controls used to certify vendor payments
processed through IPAC. This includes activities of the COTR and Contracting Officer (CO)
from the time a task order was issued and executed. The evaluation did not include pre-award
functions and activities.

The evaluation objective was to determine the adequacy, effectiveness, and sufficiency of
controls to validate and verify that:

    • All work performed by SAIC was authorized.

    • Work performed by SAIC was within contract and task-order scope.

    • Task orders were within the scope of the contract.

    • SAIC and MSC invoices submitted to the Commission through IPAC were
      accurate, complete, and allowable.

Methodology

To achieve the evaluation objectives, we obtained, compared, and assessed applicable federal
laws, regulations, and guidance governing federal agency acquisition of information technology
and services to the Commission’s contract oversight policies, procedures, and practices. We also
reviewed relevant Commission, DOT, and SAIC financial records and documents supporting
invoices to the Commission.
This included tracing the Commission’s task-order requests to MSC
to support its work authorizations issued by MSC to SAIC. Further, we traced SAIC invoices
submitted to MSC to documents supporting the transfer of funds from the Commission to MSC in
the IPAC system.

We also performed the following:

    • Interviewed relevant Procurement and Contracting Branch (PCB) and Office of
      Information Technology (OIT) officials and staff and Department of
      Transportation (DOT) and MSC officials.

    • Gained an understanding of the Commission’s contract oversight processes and
      procedures and relevant Securities and Exchange Commissions Reviews (SECR)
      in place during the evaluation period and changes occurring within the past two
      years.

    • Gained an understanding of the PCB and OIT organizational structures and
      operations.

    • Conducted tests of customer service agreements (task orders), management
      oversight controls for issuing tasks, oversight and monitoring of contractor work,
      work assignment, and invoice certification.

    • Compared the Commission’s controls to those it used under similar agreements
      with other federal agencies.

    • Assessed PCB and OIT processes and procedures used to modify task order
      requests issued through customer service agreements.

We conducted this evaluation from September 2003 to March 2004 in accordance with
Government Auditing Standards, as promulgated by the Comptroller General in the "yellow
book" for performance audits, and AICPA standards for consulting services.
We used the
following federal and Commission established guidelines as criteria for this evaluation:

    • Federal Acquisition Regulation (FAR).

    • A Guide to Best Practices for Contract Administration, October 1994, issued by
      the Office of Federal Procurement Policy (OFPP).

    • Federal Acquisition Streamlining Act of 1994 and other relevant legislation and
      promulgated guidance.

    • Office of Management and Budget (OMB) Circulars A-127, Financial
      Management Systems, and A-123, Management Accountability and Control.

    • Applicable Commission procurement and contracting regulations, policies, and
      guidance.

BACKGROUND

Since February 2000, the Commission has issued a series of task orders under the customer
service agreements with MSC (issued under Commission No. SECHQ1-00-H-0239 and
modifications). The purpose of these task orders was to obtain IT services from SAIC through
MSC.

The MSC is a component of the DOT, and the customer service agreement was issued under
MSC’s Government-Wide Acquisition Vehicle (GWAC) known as Information Technology
Omnibus Project (ITOP). ITOP is a multiple-award, indefinite delivery, indefinite quantity,
contract vehicle designed to provide federal agencies with a fast and efficient way to obtain IT
technical services, hardware and software.

Customer service agreements and the related agency task orders are similar to contracts in that
they specify an agency’s expectations, responsibilities, duties, and authorities, as well as provide
a statement of work, list of deliverables, invoicing procedures, supporting documentation, and
reporting procedures.
Depending on the complexity and nature of work covered, the agreements
may be large, formal documents describing all requirements or less formal reimbursable
agreements.

PCB (within the Office of Human Resources and Administrative Services (OHRAS), formerly
the Office of Administrative and Personnel Management), and OIT are responsible for issuing
task orders and performing contract oversight activities. Specifically:

    • PCB is responsible for purchasing and contracting for goods, services, supplies,
      and equipment. It also is responsible for performing a variety of contract and
      procurement activities including determining the appropriate type of contract for
      services needed, and reviewing statements of work and justifications for other
      than full and open competition.

    • OIT is responsible for developing and maintaining the Commission’s IT
      infrastructure and developing the IT security program, policies, and procedures.
      OIT responsibilities include daily management of support functions for systems
      and IT services, software development and maintenance, network and data
      communication design and maintenance, design engineering and oversight of the
      IT architecture, and configuration management and quality assurance group
      management. OIT is responsible for writing statements of work and initiating
      (when applicable) justifications for other than full and open competition.

From February 2000 through December 2003, the Commission awarded 95 tasks with a total
obligation of $29,255,686. From November 2001 through April 2003, the Commission awarded
43 task orders with a total obligation of $10,918,699.
During this period MSC’s fee structure was
based on a percentage of costs (e.g., 10 to 15%) as well as direct charge amounts.

EVALUATION RESULTS

The following is a discussion of the findings that we noted during our evaluation and
recommendations designed to improve contract management oversight procedures.

1. Task Orders

Commission task orders to the MSC provided some information, but were not sufficiently
detailed. Additional information would have better:

    • Defined the Commission’s expectations.

    • Clarified and specified Commission and MSC contract oversight duties and
      responsibilities for SAIC.

    • Identified deliverables.

    • Defined reporting requirements.

    • Specified invoicing procedures.

    • Clarified the agreed-upon MSC management fees and fee basis.

    • Specified the types of contracts available to the Commission through the ITOP
      contract with SAIC.

The importance of clarifying respective roles (especially in a complex arrangement involving two
federal agencies and a contractor) was shown by an issue arising repeatedly during the contract.
OIT technical staff questioned numerous invoices submitted by SAIC through the MSC. The
technical staff felt the invoices were not sufficiently detailed and did not adequately support the
costs claimed (see the finding on certification of invoices, below). OIT technical staff did not
clearly understand the limitations on their administrative duties under the contract, since the
Commission was paying MSC to be responsible for contract administration.

In June 2004, the General Services Administration (GSA) and DOT entered into an agreement
that moved ITOP to GSA.
Additionally, DOT announced that no new task orders or modifications
to existing tasks would be accepted by DOT for ITOP and that all existing work would cease on
September 30, 2004 (later extended to December 31, 2004). As a result of these actions, we are
not making recommendations relating to modifications of existing task orders to MSC. Our
recommendation relates to better defining future task orders.

        Recommendation A:

        The Office of Human Resources and Administrative Services should revise its existing
        policies and procedures to help ensure that task orders under GWAC-type vehicles
        clearly describe the services being requested, management fees, deliverables,
        performance period, invoicing procedures, and other required information.

2. Management Fees

During the period of our evaluation, MSC invoiced the Commission for $11,566,646; of this
amount, $10,428,199 was for SAIC’s services, and $1,138,447 was for management fees.
MSC management fees were a combination of percentage of costs (ranging from 10 to 15
percent) and direct charges.

Although the Commission’s task orders contained a line item for an MSC fee, none of the task
orders disclosed either the fee amount or percentage. We identified the management fee only by
reviewing documentation maintained by MSC in its contract files. The Commission COTR was
unaware of the amount of the fees or how they were derived.

        Recommendation B

        The Office of Human Resources and Administrative Services, in consultation with the
        Office of General Counsel and the Office of Financial Management, should submit a
        written request to MSC asking it to review whether the fees billed to the Commission
        were consistent with the fee structure in the ITOP contract.

3. Invoice Certification

MSC submitted SF 1081s and billing statements as support for reimbursement against
Commission funds held at Treasury. The Commission received SF 1081s showing dollar amounts
transferred by Treasury from the Commission fund account to MSC.

For instance, in January 2003, Treasury transferred $438,429 from the Commission to MSC
under the contract; accompanying this document was MSC’s Invoice No. 40. The MSC invoice
included the primary account number, secondary account code, description of service, current
hours by account code, and monthly charges incurred during the period November 9 through
December 6, 2002. The invoice did not include timesheets or other information to confirm that
hours billed were actually worked by SAIC personnel.

The COTR (assisted by the OIT technical staff) was required to certify the charges or take
exception to the billing. The OIT technical staff repeatedly raised questions about the amount of
the invoices and how they were derived. OIT verbally requested that MSC provide a detailed
breakdown of the labor hours for each task order. MSC was unable to accommodate this request
because it did not have this information, but the COTR certified the invoices anyway (so that
SAIC would continue to provide services under the contract).

Under the MSC contract, the DOT COTR was responsible for the accuracy of SAIC billings, as
part of DOT’s contract administration duties (which the Commission paid for in its fee).
However, OIT staff did not clearly understand this contract provision (in part because of staff
turnover in OIT, according to PCB).

During our review of SAIC invoices at MSC, we inquired of MSC and DOT personnel about
whether any detailed supporting documentation, such as timesheets or a listing of names of SAIC
personnel and subcontractors that worked on Commission tasks, accompanied the invoices.
We
were informed that they did not have this documentation, and that it would have to be obtained
directly from SAIC.

During the evaluation, we obtained a list of personnel from SAIC who charged hours against the
various MSC task orders for work performed at the Commission. We submitted the list to
individual OIT task managers for confirmation and verification. We specifically asked the task
managers if they knew the individuals and if they knew the individuals had worked on the
specific tasks for which the hours were billed. From this test, we determined that the task
managers could not verify 25,021.75 hours worked by 41 SAIC personnel invoiced at $961,081.

Given the circumstances described above, an audit of the timesheets and other documentation
supporting the invoices appears appropriate.

       Recommendation C

       The Office of Human Resources and Administrative Services should require COTRs and
       related technical staff to attend refresher training once every three years on contract
       administration (including certifying invoices).

       Recommendation D

       The Office of Human Resources and Administrative Services, in consultation with the
       Offices of Information Technology, General Counsel and Financial Management should
       request that the Defense Contract Audit Agency (the cognizant audit agency for SAIC)
       perform an audit of specified task orders under the MSC customer agreement.

       Recommendation E

       The Office of Information Technology should develop appropriate procedures for its
       COTRs to follow in certifying contractor invoices.

       OIT indicated that it will develop procedures that OIT COTRs are to follow when
       certifying contractor invoices.
       These procedures will be based on SECR 10-15:
       Contracting Officer’s Technical Representative (COTR) and Inspection and Acceptance
       Official (IOA), dated November 4, 2004.